libselinux / libsemanage: work around FD_CLOEXEC and SOCK_CLOEXEC absence

[ CQID: WIND00438478 ] [ CQID: WIND00439485 ] Turns out some of the truly old hosts don't even really recognize FD_CLOEXEC and most of the older ones don't know about SOCK_CLOEXEC. Work around each (define FD_CLOEXEC to something sensible, simply don't use SOCK_CLOEXEC, produce warnings in either event). Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com> Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
author: Joe MacDonald <joe.macdonald@windriver.com> 2013-10-15 10:27:27 -0400
committer: Mark Hatle <mark.hatle@windriver.com> 2013-11-14 19:28:12 +0000
commit: 0e405f98266b48969c2173d032878cc6b2893fcb (patch)
tree: d6f0c97e571acb7a2525f80c50d0b86e718cc7a0
parent: 7b142317419beb97f4815159177a3dd96c76c282 (diff)
download: meta-selinux-0e405f98266b48969c2173d032878cc6b2893fcb.tar.gz
5 files changed, 113 insertions, 0 deletions
diff --git a/recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch b/recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch
new file mode 100644
index 0000000..1fa1fba
--- /dev/null
+++ b/recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch
@@ -0,0 +1,35 @@
+From 9a843a025fb0eaad537eb9dce28da539cf2cb9c2 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe.macdonald@windriver.com>
+Date: Tue, 15 Oct 2013 10:14:41 -0400
+Subject: [PATCH 2/3] libselinux: define FD_CLOEXEC as necessary
+In truly old systems, even FD_CLOEXEC may not be defined.  Produce a
+warning and duplicate the #define for FD_CLOEXEC found in
+asm-generic/fcntl.h on more modern platforms.
+Uptream-Status: Inappropriate
+Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
+---
+ libselinux/src/setrans_client.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/src/setrans_client.c b/src/setrans_client.c
+index f9065bd..e07a779 100644
+--- a/src/setrans_client.c
+++ b/src/setrans_client.c
+@@ -38,6 +38,11 @@ static pthread_key_t destructor_key;
+ static int destructor_key_initialized = 0;
+ static __thread char destructor_initialized;
+ 
+#ifndef FD_CLOEXEC
+#warning FD_CLOEXEC undefined on this platform, this may leak file descriptors
+#define FD_CLOEXEC 1
+#endif
+
+ /*
+  * setransd_open
+  *
+-- 
+1.7.10.4
diff --git a/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch b/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch
new file mode 100644
index 0000000..14f0ce9
--- /dev/null
+++ b/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch
@@ -0,0 +1,40 @@
+From 193d42c8312cb8b189745696065b3aa5bbcc6968 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe.macdonald@windriver.com>
+Date: Tue, 15 Oct 2013 10:07:43 -0400
+Subject: [PATCH 1/3] libselinux: make SOCK_CLOEXEC optional
+libselinux/src/setrans_client.c checks for the existence of SOCK_CLOEXEC
+before using it, however libselinux/src/avc_internal.c does not.  Since
+SOCK_CLOEXEC suffers the same problem as O_CLOEXEC on some older
+platforms, we need to ensure we protect the references it it in the same
+way.
+Uptream-Status: Inappropriate
+Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
+---
+ libselinux/src/avc_internal.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+diff --git a/src/avc_internal.c b/libselinux/src/avc_internal.c
+index f735e73..eb0599a 100644
+--- a/src/avc_internal.c
+++ b/src/avc_internal.c
+@@ -60,7 +60,13 @@ int avc_netlink_open(int blocking)
+        int len, rc = 0;
+        struct sockaddr_nl addr;
+ 
+-       fd = socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_SELINUX);
+       fd = socket(PF_NETLINK, SOCK_RAW
+#ifdef SOCK_CLOEXEC
+               | SOCK_CLOEXEC
+#else
+#warning SOCK_CLOEXEC undefined on this platform, this may leak file descriptors
+#endif
+               , NETLINK_SELINUX);
+        if (fd < 0) {
+                rc = fd;
+                goto out;
+-- 
+1.7.10.4
diff --git a/recipes-security/selinux/libselinux_2.1.13.bb b/recipes-security/selinux/libselinux_2.1.13.bb
index 28b1ff1..caed650 100644
--- a/recipes-security/selinux/libselinux_2.1.13.bb
+++ b/recipes-security/selinux/libselinux_2.1.13.bb
@@ -13,4 +13,6 @@ SRC_URI += "\
        file://libselinux-pcre-link-order.patch \
        file://libselinux-drop-Wno-unused-but-set-variable.patch \
        file://libselinux-make-O_CLOEXEC-optional.patch \
+        file://libselinux-make-SOCK_CLOEXEC-optional.patch \
+        file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
        "
diff --git a/recipes-security/selinux/libsemanage/libsemanage-define-FD_CLOEXEC-as-necessary.patch b/recipes-security/selinux/libsemanage/libsemanage-define-FD_CLOEXEC-as-necessary.patch
new file mode 100644
index 0000000..7be4381
--- /dev/null
+++ b/recipes-security/selinux/libsemanage/libsemanage-define-FD_CLOEXEC-as-necessary.patch
@@ -0,0 +1,35 @@
+From e783080f30e00d00800ff3491d88c62b2a1c637b Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe.macdonald@windriver.com>
+Date: Tue, 15 Oct 2013 10:17:38 -0400
+Subject: [PATCH 3/3] libsemanage: define FD_CLOEXEC as necessary
+In truly old systems, even FD_CLOEXEC may not be defined.  Produce a
+warning and duplicate the #define for FD_CLOEXEC found in
+asm-generic/fcntl.h on more modern platforms.
+Uptream-Status: Inappropriate
+Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
+---
+ libsemanage/src/semanage_store.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
+index 57ef49f..488a14a 100644
+--- a/libsemanage/src/semanage_store.c
+++ b/libsemanage/src/semanage_store.c
+@@ -65,6 +65,11 @@ static const char *DISABLESTR="disabled";
+ 
+ #define TRUE 1
+ 
+#ifndef FD_CLOEXEC
+#warning FD_CLOEXEC undefined on this platform, this may leak file descriptors
+#define FD_CLOEXEC 1
+#endif
+
+ enum semanage_file_defs {
+        SEMANAGE_ROOT,
+        SEMANAGE_TRANS_LOCK,
+-- 
+1.7.10.4
diff --git a/recipes-security/selinux/libsemanage_2.1.10.bb b/recipes-security/selinux/libsemanage_2.1.10.bb
index dcd3037..900d608 100644
--- a/recipes-security/selinux/libsemanage_2.1.10.bb
+++ b/recipes-security/selinux/libsemanage_2.1.10.bb
@@ -13,4 +13,5 @@ SRC_URI += "\
        file://libsemanage-fix-path-len-limit.patch \
        file://libsemanage-fix-path-nologin.patch \
        file://libsemanage-drop-Wno-unused-but-set-variable.patch \
+        file://libsemanage-define-FD_CLOEXEC-as-necessary.patch;striplevel=2 \
        "
author	Joe MacDonald <joe.macdonald@windriver.com>	2013-10-15 10:27:27 -0400
committer	Mark Hatle <mark.hatle@windriver.com>	2013-11-14 19:28:12 +0000
commit	0e405f98266b48969c2173d032878cc6b2893fcb (patch)
tree	d6f0c97e571acb7a2525f80c50d0b86e718cc7a0
parent	7b142317419beb97f4815159177a3dd96c76c282 (diff)
download	meta-selinux-0e405f98266b48969c2173d032878cc6b2893fcb.tar.gz

diff --git a/recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch b/recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch new file mode 100644 index 0000000..1fa1fba --- /dev/null +++ b/recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch
@@ -0,0 +1,35 @@
		1	From 9a843a025fb0eaad537eb9dce28da539cf2cb9c2 Mon Sep 17 00:00:00 2001
		2	From: Joe MacDonald <joe.macdonald@windriver.com>
		3	Date: Tue, 15 Oct 2013 10:14:41 -0400
		4	Subject: [PATCH 2/3] libselinux: define FD_CLOEXEC as necessary
		5
		6	In truly old systems, even FD_CLOEXEC may not be defined. Produce a
		7	warning and duplicate the #define for FD_CLOEXEC found in
		8	asm-generic/fcntl.h on more modern platforms.
		9
		10	Uptream-Status: Inappropriate
		11
		12	Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
		13	---
		14	libselinux/src/setrans_client.c \| 5 +++++
		15	1 file changed, 5 insertions(+)
		16
		17	diff --git a/src/setrans_client.c b/src/setrans_client.c
		18	index f9065bd..e07a779 100644
		19	--- a/src/setrans_client.c
		20	+++ b/src/setrans_client.c
		21	@@ -38,6 +38,11 @@ static pthread_key_t destructor_key;
		22	static int destructor_key_initialized = 0;
		23	static __thread char destructor_initialized;
		24
		25	+#ifndef FD_CLOEXEC
		26	+#warning FD_CLOEXEC undefined on this platform, this may leak file descriptors
		27	+#define FD_CLOEXEC 1
		28	+#endif
		29	+
		30	/*
		31	* setransd_open
		32	*
		33	--
		34	1.7.10.4
		35


diff --git a/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch b/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch new file mode 100644 index 0000000..14f0ce9 --- /dev/null +++ b/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch
@@ -0,0 +1,40 @@
		1	From 193d42c8312cb8b189745696065b3aa5bbcc6968 Mon Sep 17 00:00:00 2001
		2	From: Joe MacDonald <joe.macdonald@windriver.com>
		3	Date: Tue, 15 Oct 2013 10:07:43 -0400
		4	Subject: [PATCH 1/3] libselinux: make SOCK_CLOEXEC optional
		5
		6	libselinux/src/setrans_client.c checks for the existence of SOCK_CLOEXEC
		7	before using it, however libselinux/src/avc_internal.c does not. Since
		8	SOCK_CLOEXEC suffers the same problem as O_CLOEXEC on some older
		9	platforms, we need to ensure we protect the references it it in the same
		10	way.
		11
		12	Uptream-Status: Inappropriate
		13
		14	Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
		15	---
		16	libselinux/src/avc_internal.c \| 8 +++++++-
		17	1 file changed, 7 insertions(+), 1 deletion(-)
		18
		19	diff --git a/src/avc_internal.c b/libselinux/src/avc_internal.c
		20	index f735e73..eb0599a 100644
		21	--- a/src/avc_internal.c
		22	+++ b/src/avc_internal.c
		23	@@ -60,7 +60,13 @@ int avc_netlink_open(int blocking)
		24	int len, rc = 0;
		25	struct sockaddr_nl addr;
		26
		27	- fd = socket(PF_NETLINK, SOCK_RAW \| SOCK_CLOEXEC, NETLINK_SELINUX);
		28	+ fd = socket(PF_NETLINK, SOCK_RAW
		29	+#ifdef SOCK_CLOEXEC
		30	+ \| SOCK_CLOEXEC
		31	+#else
		32	+#warning SOCK_CLOEXEC undefined on this platform, this may leak file descriptors
		33	+#endif
		34	+ , NETLINK_SELINUX);
		35	if (fd < 0) {
		36	rc = fd;
		37	goto out;
		38	--
		39	1.7.10.4
		40


diff --git a/recipes-security/selinux/libselinux_2.1.13.bb b/recipes-security/selinux/libselinux_2.1.13.bb index 28b1ff1..caed650 100644 --- a/recipes-security/selinux/libselinux_2.1.13.bb +++ b/recipes-security/selinux/libselinux_2.1.13.bb
@@ -13,4 +13,6 @@ SRC_URI += "\
13	file://libselinux-pcre-link-order.patch \	13	file://libselinux-pcre-link-order.patch \
14	file://libselinux-drop-Wno-unused-but-set-variable.patch \	14	file://libselinux-drop-Wno-unused-but-set-variable.patch \
15	file://libselinux-make-O_CLOEXEC-optional.patch \	15	file://libselinux-make-O_CLOEXEC-optional.patch \
		16	file://libselinux-make-SOCK_CLOEXEC-optional.patch \
		17	file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
16	"	18	"


diff --git a/recipes-security/selinux/libsemanage/libsemanage-define-FD_CLOEXEC-as-necessary.patch b/recipes-security/selinux/libsemanage/libsemanage-define-FD_CLOEXEC-as-necessary.patch new file mode 100644 index 0000000..7be4381 --- /dev/null +++ b/recipes-security/selinux/libsemanage/libsemanage-define-FD_CLOEXEC-as-necessary.patch
@@ -0,0 +1,35 @@
		1	From e783080f30e00d00800ff3491d88c62b2a1c637b Mon Sep 17 00:00:00 2001
		2	From: Joe MacDonald <joe.macdonald@windriver.com>
		3	Date: Tue, 15 Oct 2013 10:17:38 -0400
		4	Subject: [PATCH 3/3] libsemanage: define FD_CLOEXEC as necessary
		5
		6	In truly old systems, even FD_CLOEXEC may not be defined. Produce a
		7	warning and duplicate the #define for FD_CLOEXEC found in
		8	asm-generic/fcntl.h on more modern platforms.
		9
		10	Uptream-Status: Inappropriate
		11
		12	Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
		13	---
		14	libsemanage/src/semanage_store.c \| 5 +++++
		15	1 file changed, 5 insertions(+)
		16
		17	diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
		18	index 57ef49f..488a14a 100644
		19	--- a/libsemanage/src/semanage_store.c
		20	+++ b/libsemanage/src/semanage_store.c
		21	@@ -65,6 +65,11 @@ static const char *DISABLESTR="disabled";
		22
		23	#define TRUE 1
		24
		25	+#ifndef FD_CLOEXEC
		26	+#warning FD_CLOEXEC undefined on this platform, this may leak file descriptors
		27	+#define FD_CLOEXEC 1
		28	+#endif
		29	+
		30	enum semanage_file_defs {
		31	SEMANAGE_ROOT,
		32	SEMANAGE_TRANS_LOCK,
		33	--
		34	1.7.10.4
		35


diff --git a/recipes-security/selinux/libsemanage_2.1.10.bb b/recipes-security/selinux/libsemanage_2.1.10.bb index dcd3037..900d608 100644 --- a/recipes-security/selinux/libsemanage_2.1.10.bb +++ b/recipes-security/selinux/libsemanage_2.1.10.bb
@@ -13,4 +13,5 @@ SRC_URI += "\
13	file://libsemanage-fix-path-len-limit.patch \	13	file://libsemanage-fix-path-len-limit.patch \
14	file://libsemanage-fix-path-nologin.patch \	14	file://libsemanage-fix-path-nologin.patch \
15	file://libsemanage-drop-Wno-unused-but-set-variable.patch \	15	file://libsemanage-drop-Wno-unused-but-set-variable.patch \
		16	file://libsemanage-define-FD_CLOEXEC-as-necessary.patch;striplevel=2 \
16	"	17	"